      1 #!/bin/sh
      2 
      3 # Copyright (c) 2013 The Chromium Authors. All rights reserved.
      4 # Use of this source code is governed by a BSD-style license that can be
      5 # found in the LICENSE file.
      6 
# This script generates two chains of test certificates:
#    1. A1 (end-entity) -> B (self-signed root)
#    2. A2 (end-entity) -> B (self-signed root)
#
# A1 and A2 share the same key and the same subject common name, but have
# distinct O (organization) values in their subjects.
#
# This is used to test that NSS can properly generate unique certificate
# nicknames for both certificates.
     16 
# Print a command line, then execute it.
# Arguments: the command to run followed by its arguments.
# Outputs:   the command line on stdout, then whatever the command prints.
# Returns:   0 if the command succeeds; otherwise the whole script exits
#            with status 1 (the command's own status is not propagated).
try() {
  echo "$@"
  if ! "$@"; then
    exit 1
  fi
}
     21 
     22 try rm -rf out
     23 try mkdir out
     24 
     25 echo Create the serial number and index files.
     26 try /bin/sh -c "echo 01 > out/B-serial"
     27 try touch out/B-index.txt
     28 
     29 echo Generate the keys.
     30 try openssl genrsa -out out/A.key 2048
     31 try openssl genrsa -out out/B.key 2048
     32 
     33 echo Generate the B CSR.
     34 CA_COMMON_NAME="B Root CA" \
     35   CERTIFICATE=B \
     36   try openssl req \
     37     -new \
     38     -key out/B.key \
     39     -out out/B.csr \
     40     -config redundant-ca.cnf
     41 
     42 echo B signs itself.
     43 CA_COMMON_NAME="B Root CA" \
     44   try openssl x509 \
     45     -req -days 3650 \
     46     -in out/B.csr \
     47     -extfile redundant-ca.cnf \
     48     -extensions ca_cert \
     49     -signkey out/B.key \
     50     -out out/B.pem
     51 
     52 echo Generate the A1 end-entity CSR.
     53 SUBJECT_NAME=req_duplicate_cn_1 \
     54   try openssl req \
     55     -new \
     56     -key out/A.key \
     57     -out out/A1.csr \
     58     -config ee.cnf
     59 
     60 echo Generate the A2 end-entity CSR
     61 SUBJECT_NAME=req_duplicate_cn_2 \
     62   try openssl req \
     63     -new \
     64     -key out/A.key \
     65     -out out/A2.csr \
     66     -config ee.cnf
     67 
     68 
     69 echo B signs A1.
     70 CA_COMMON_NAME="B CA" \
     71   CERTIFICATE=B \
     72   try openssl ca \
     73     -batch \
     74     -extensions user_cert \
     75     -in out/A1.csr \
     76     -out out/A1.pem \
     77     -config redundant-ca.cnf
     78 
     79 echo B signs A2.
     80 CA_COMMON_NAME="B CA" \
     81   CERTIFICATE=B \
     82   try openssl ca \
     83     -batch \
     84     -extensions user_cert \
     85     -in out/A2.csr \
     86     -out out/A2.pem \
     87     -config redundant-ca.cnf
     88 
     89 echo Exporting the certificates to PKCS#12
     90 try openssl pkcs12 \
     91   -export \
     92   -inkey out/A.key \
     93   -in out/A1.pem \
     94   -out ../certificates/duplicate_cn_1.p12 \
     95   -passout pass:chrome
     96 
     97 try openssl pkcs12 \
     98   -export \
     99   -inkey out/A.key \
    100   -in out/A2.pem \
    101   -out ../certificates/duplicate_cn_2.p12 \
    102   -passout pass:chrome
    103 
    104 try cp out/A1.pem ../certificates/duplicate_cn_1.pem
    105 try cp out/A2.pem ../certificates/duplicate_cn_2.pem